can I get a woot woot

git-svn-id: file:///home/svn/incoming/trunk@2576 4d416f70-5f16-0410-b530-b9f4589650da
2005-06-05 05:42:14 +00:00 · 2005-06-05 05:42:14 +00:00 · 1e6e29ad6d
parent 04a9cbd7ad
commit 1e6e29ad6d
5 changed files with 129 additions and 48 deletions
--- a/lib/msf/core/data_store.rb
+++ b/lib/msf/core/data_store.rb
@ -14,8 +14,8 @@ class DataStore < Hash
 	# all of the supplied options
 	def import_options(options)
 		options.each_option { |name, opt|
-			if (opt.default_value)
-				self.store(name, opt.default_value)
+			if (opt.default)
+				self.store(name, opt.default)
 			end
 		}
 	end
--- a/lib/msf/core/exploit.rb
+++ b/lib/msf/core/exploit.rb
@ -192,41 +192,44 @@ class Exploit < Msf::Module

 	attr_accessor :target, :targets

-end
+  ###
+  #
+  # Local
+  # -----
+  #
+  # The local exploit class is a specialization of the exploit module class that
+  # is geared toward exploits that are performed locally.  Locally, in this
+  # case, is defined as an exploit that is realized by means other than network
+  # communication.
+  #
+  ###
+  class Local < Exploit
+	  def exploit_type
+		  Exploit::Type::Local
+	  end
+  end

-###
-#
-# LocalExploit
-# ------------
-#
-# The local exploit class is a specialization of the exploit module class that
-# is geared toward exploits that are performed locally.  Locally, in this
-# case, is defined as an exploit that is realized by means other than network
-# communication.
-#
-###
-class LocalExploit < Exploit
-	def exploit_type
-		Exploit::Type::Local
-	end
-end
+  ###
+  #
+  # Remote
+  # ------
+  #
+  # The remote exploit class is a specialization of the exploit module class
+  # that is geared toward exploits that are performed against targets other than
+  # the local machine.  This typically implies exploiting other machines via a
+  # network connection, though it is not limited to this scope.
+  #
+  ###
+  class Remote < Exploit

-###
-#
-# RemoteExploit
-# -------------
-#
-# The remote exploit class is a specialization of the exploit module class
-# that is geared toward exploits that are performed against targets other than
-# the local machine.  This typically implies exploiting other machines via a
-# network connection, though it is not limited to this scope.
-#
-###
-class RemoteExploit < Exploit
+	  def exploit_type
+		  Exploit::Type::Remote
+	  end
+  end

-	def exploit_type
-		Exploit::Type::Remote
-	end
 end

 end
+
+require 'Msf/Core/Exploit/Remote/Tcp'
+require 'Msf/Core/Exploit/Remote/DCERPC'
--- a/lib/msf/core/module.rb
+++ b/lib/msf/core/module.rb
@ -41,61 +41,91 @@ class Module
 		# Create and initialize the data store for this module
 		self.datastore = DataStore.new
 		self.datastore.import_options(self.options)
+
+		self.privileged = module_info['Privileged'] || false
 	end

+	#
 	# Return the module's name
+	#
 	def name
 		return module_info['Name']
 	end

+	#
 	# Return the module's description
+	#
 	def description
 		return module_info['Description']
 	end

+	#
 	# Return the module's version information
+	#
 	def version
 		return module_info['Version']
 	end

+	#
 	# Return the module's abstract type
+	#
 	def type
 		raise NotImplementedError
 	end

+	#
 	# Return a comma separated list of author for this module
+	#
 	def author_to_s
 		return author.collect { |author| author.to_s }.join(", ")
 	end

+	#
 	# Enumerate each author
+	#
 	def each_author(&block)
 		author.each(&block)
 	end

+	#
 	# Return a comma separated list of supported architectures, if any
+	#
 	def arch_to_s
 		return arch.join(", ")
 	end

+	#
 	# Enumerate each architecture
+	#
 	def each_arch(&block)
 		arch.each(&block)
 	end

+	#
 	# Return whether or not the module supports the supplied architecture
+	#
 	def arch?(what)
 		return true if (what == ARCH_ANY)

 		return arch.index(what) != nil 
 	end

+	#
 	# Return a comma separated list of supported platforms, if any
+	#
 	def platform_to_s
 		return platform.join(", ")
 	end
+
+	#
+	# Returns whether or not the module requires or grants high privileges
+	#
+	def privileged?
+		return (privileged == true)
+	end
 	
 	attr_reader   :author, :arch, :platform, :refs, :datastore, :options
+	attr_reader   :privileged

 protected

@ -108,7 +138,8 @@ protected
 			'Author'      => nil,
 			'Arch'        => nil,
 			'Platform'    => nil,
-			'Ref'         => nil
+			'Ref'         => nil,
+			'Privileged'  => false,
 		}.update(self.module_info)
 	end

@ -121,8 +152,51 @@ protected
 		(self.method(method_name).to_s.match(/#{parent.to_s}[^:]/)) ? false : true
 	end

+	#
+	# Merges options in the info hash in a sane fashion, as some options
+	# require special attention.
+	#
+	def merge_info(info, opts)
+		opts.each_pair { |name, val|
+			if (self.respond_to?("merge_info_#{name.downcase}"))
+				eval("merge_info_#{name.downcase}(info, val)")
+			else
+				# merge it cool style
+			end
+		}
+
+		return info
+	end
+
+	#
+	# Merges options 
+	#
+	def merge_info_options(info, val, advanced = false)
+		key_name = ((advanced) ? 'Advanced' : '') + 'Options'
+
+		new_cont = OptionContainer.new
+		new_cont.add_options(val, advanced)
+		cur_cont = OptionContainer.new
+		cur_cont.add_options(info[key_name] || [], advanced)
+
+		new_cont.each_option { |name, option|
+			next if (cur_cont.get(name))
+
+			info[key_name]  = [] if (!info[key_name])
+			info[key_name] << option
+		}
+	end
+
+	# 
+	# Merges advanced options
+	#
+	def merge_info_advancedoptions(info, val)
+		merge_info_options(info, val, true)
+	end
+
 	attr_accessor :module_info
 	attr_writer   :author, :arch, :platform, :refs, :datastore, :options
+	attr_writer   :privileged

 end

--- a/lib/msf/core/option_container.rb
+++ b/lib/msf/core/option_container.rb
@ -170,7 +170,10 @@ class OptionContainer < Hash

 	# Return the option associated with the supplied name
 	def get(name)
-		return fetch(name)
+		begin
+			return fetch(name)
+		rescue
+		end
 	end

 	# Adds one or more options
--- a/modules/exploits/windows/msrpc_dcom_ms03_026.rb
+++ b/modules/exploits/windows/msrpc_dcom_ms03_026.rb
@ -1,10 +1,13 @@
 require 'Msf/Core'

 module Msf
-module Exploits
-module Remote

-class MSRPC_DCOM_MS03_026 < Msf::RemoteExploit
+class Exploit::Remote::MSRPC_DCOM_MS03_026 < Msf::Exploit::Remote
+
+	#
+	# This module exploits a vulnerability in a DCERPC service
+	#
+	include Exploit::Remote::DCERPC

 	def initialize
 		super(
@ -21,12 +24,14 @@ class MSRPC_DCOM_MS03_026 < Msf::RemoteExploit
 					[ 'OSVDB', '2100'     ],
 					[ 'MSB',   'MS03-026' ],
 				],
+			'Privileged'    => true,
 			'Targets'       => 
 				[
 					# Target 0: Universal
 					[ 
 						'Windows NT SP3-6a/2000/XP/2003 Universal',
-						[ 'winnt', 'win2000', 'winxp', 'win2003' ],
+#						[ 'winnt', 'win2000', 'winxp', 'win2003' ],
+						[ ],
 						0x74ff16f3, # Windows NT 4.0 SP3/4 (pop pop ret) rnr20.dll
 						0x776a240d, # Windows NT 4.0 SP5 (eax) ws2help.dll
 						0x77f33723, # Windows NT 4.0 SP6a (esp)
@ -36,16 +41,12 @@ class MSRPC_DCOM_MS03_026 < Msf::RemoteExploit
 						0x001b0b0b, # Windows 2003 call near [ebp+0x30] (unicode.nls)
 					]
 				],
-			'DefaultTarget' => 0,
-			'Options'       =>
-				[
-					Opt::RHOST,
-					Opt::RPORT(135)
-				])
+			'DefaultTarget' => 0)
+	end
+
+	def exploit
 	end

 end

 end
-end
-end